Cyber Security Cookbook
Acronyms A-Z Security+ Obj-701
-
AAA Authentication, Authorization, and Accounting
ACL Access Control List
AES Advanced Encryption Standard
AES-256 Advanced Encryption Standard 256-bit
AH Authentication Header
AI Artificial Intelligence
AIS Automated Indicator Sharing
ALE Annualized Loss Expectancy
AP Access Point
API Application Programming Interface
APT Advanced Persistent Threat
ARO Annualized Rate of Occurrence
ARP Address Resolution Protocol
ASLR Address Space Layout Randomization
ATT&CK Adversarial Tactics, Techniques, and Common Knowledge
AUP Acceptable Use Policy
AV Antivirus
-
BASH Bourne Again Shell
BCP Business Continuity Planning
BGP Border Gateway Protocol
BIA Business Impact Analysis
BIOS Basic Input/Output System
BPA Business Partners Agreement
BPDU Bridge Protocol Data Unit
BYOD Bring Your Own Device
-
CA Certificate Authority
CAPTCHA Completely Automated Public Turing Test to Tell Computers and Humans Apart
CAR Corrective Action Report
CASB Cloud Access Security Broker
CBC Cipher Block Chaining
CCMP Counter Mode/CBC-MAC Protocol
CCTV Closed-circuit Television
CERT Computer Emergency Response Team
CFB Cipher Feedback
CHAP Challenge Handshake Authentication Protocol
CIA Confidentiality, Integrity, Availability
CIO Chief Information Officer
CIRT Computer Incident Response Team
CMS Content Management System
COOP Continuity of Operation Planning
COPE Corporate Owned, Personally Enabled
CP Contingency Planning
CRC Cyclical Redundancy Check
CRL Certificate Revocation List
CSO Chief Security Officer
CSP Cloud Service Provider
CSR Certificate Signing Request
CSRF Cross-site Request Forgery
CSU Channel Service Unit
CTM Counter Mode
CTO Chief Technology Officer
CVE Common Vulnerability Enumeration
CVSS Common Vulnerability Scoring System
CYOD Choose Your Own Device
-
DAC Discretionary Access Control
DBA Database Administrator
DDoS Distributed Denial of Service
DEP Data Execution Prevention
DES Digital Encryption Standard
DHCP Dynamic Host Configuration Protocol
DHE Diffie-Hellman Ephemeral
DKIM DomainKeys Identified Mail
DLL Dynamic Link Library
DLP Data Loss Prevention
DMARC Domain Message Authentication Reporting and Conformance
DNAT Destination Network Address Translation
DNS Domain Name System
DoS Denial of Service
DPO Data Privacy Officer
DRP Disaster Recovery Plan
DSA Digital Signature Algorithm
DSL Digital Subscriber Line
-
EAP Extensible Authentication Protocol
ECB Electronic Code Book
ECC Elliptic Curve Cryptography
ECDHE Elliptic Curve Diffie-Hellman Ephemeral
ECDSA Elliptic Curve Digital Signature Algorithm
EDR Endpoint Detection and Response
EFS Encrypted File System
ERP Enterprise Resource Planning
ESN Electronic Serial Number
ESP Encapsulated Security Payload
-
FACL File System Access Control List
FDE Full Disk Encryption
FIM File Integrity Management
FPGA Field Programmable Gate Array
FRR False Rejection Rate
FTP File Transfer Protocol
FTPS Secured File Transfer Protocol
-
GCM Galois Counter Mode
GDPR General Data Protection Regulation
GPG Gnu Privacy Guard
GPO Group Policy Object
GPS Global Positioning System
GPU Graphics Processing Unit
GRE Generic Routing Encapsulation
-
HA High Availability
HDD Hard Disk Drive
HIDS Host-based Intrusion Detection System
HIPS Host-based Intrusion Prevention System
HMAC Hashed Message Authentication Code
HOTP HMAC-based One-time Password
HSM Hardware Security Module
HTML Hypertext Markup Language
HTTP Hypertext Transfer Protocol
HTTPS Hypertext Transfer Protocol Secure
HVAC Heating, Ventilation Air Conditioning
-
IaaS Infrastructure as a Service
IaC Infrastructure as Code
IAM Identity and Access Management
ICMP Internet Control Message Protocol
ICS Industrial Control Systems
IDEA International Data Encryption Algorithm
IDF Intermediate Distribution Frame
IdP Identity Provider
IDS Intrusion Detection System
IEEE Institute of Electrical and Electronics Engineers
IKE Internet Key Exchange
IM Instant Messaging
IMAP Internet Message Access Protocol
IoC Indicators of Compromise
IoT Internet of Things
IP Internet Protocol
IPS Intrusion Prevention System
IPSec Internet Protocol Security
IR Incident Response
IRC Internet Relay Chat
IRP Incident Response Plan
ISO International Standards Organization
ISP Internet Service Provider
ISSO Information Systems Security Officer
IV Initialization Vector
-
KDC Key Distribution Center
KEK Key Encryption Key
-
L2TP Layer 2 Tunneling Protocol
LAN Local Area Network
LDAP Lightweight Directory Access Protocol
LEAP Lightweight Extensible Authentication Protocol
-
MaaS Monitoring as a Service
MAC Mandatory Access Control
MAC Media Access Control
MAC Message Authentication Code
MAN Metropolitan Area Network
MBR Master Boot Record
MD5 Message Digest 5
MDF Main Distribution Frame
MDM Mobile Device Management
MFA Multifactor Authentication
MFD Multifunction Device
MFP Multifunction Printer
ML Machine Learning
MMS Multimedia Message Service
MOA Memorandum of Agreement
MOU Memorandum of Understanding
MPLS Multi-protocol Label Switching
MSA Master Service Agreement
MSCHAP Microsoft Challenge Handshake Authentication Protocol
MSP Managed Service Provider
MSSP Managed Security Service Provider
MTBF Mean Time Between Failures
MTTF Mean Time to Failure
MTTR Mean Time to Recover
MTU Maximum Transmission Unit
-
NAC Network Access Control
NAT Network Address Translation
NDA Non-disclosure Agreement
NFC Near Field Communication
NGFW Next-generation Firewall
NIDS Network-based Intrusion Detection System
NIPS Network-based Intrusion Prevention System
NIST National Institute of Standards & Technology
NTFS New Technology File System
NTLM New Technology LAN Manager
NTP Network Time Protocol
-
OAUTH Open Authorization
OCSP Online Certificate Status Protocol
OID Object Identifier
OS Operating System
OSINT Open-source Intelligence
OSPF Open Shortest Path First
OT Operational Technology
OTA Over the Air
OVAL Open Vulnerability Assessment Language
-
P12 PKCS #12
P2P Peer to Peer
PaaS Platform as a Service
PAC Proxy Auto Configuration
PAM Privileged Access Management
PAM Pluggable Authentication Modules
PAP Password Authentication Protocol
PAT Port Address Translation
PBKDF2 Password-based Key Derivation Function 2
PBX Private Branch Exchange
PCAP Packet Capture
PCI DSS Payment Card Industry Data Security Standard
PDU Power Distribution Unit
PEAP Protected Extensible Authentication Protocol
PED Personal Electronic Device
PEM Privacy Enhanced Mail
PFS Perfect Forward Secrecy
PGP Pretty Good Privacy
PHI Personal Health Information
PII Personally Identifiable Information
PIV Personal Identity Verification
PKCS Public Key Cryptography Standards
PKI Public Key Infrastructure
POP Post Office Protocol
POTS Plain Old Telephone Service
PPP Point-to-Point Protocol
PPTP Point-to-Point Tunneling Protocol
PSK Pre-shared Key
PTZ Pan-tilt-zoom
PUP Potentially Unwanted Program
-
RA Recovery Agent
RA Registration Authority
RACE Research and Development in Advanced Communications Technologies in Europe
RAD Rapid Application Development
RADIUS Remote Authentication Dial-in User Service
RAID Redundant Array of Inexpensive Disks
RAS Remote Access Server
RAT Remote Access Trojan
RBAC Role-based Access Control
RBAC Rule-based Access Control
RC4 Rivest Cipher version 4
RDP Remote Desktop Protocol
RFID Radio Frequency Identifier
RIPEMD RACE Integrity Primitives Evaluation Message Digest
ROI Return on Investment
RPO Recovery Point Objective
RSA Rivest, Shamir, & Adleman
RTBH Remotely Triggered Black Hole
RTO Recovery Time Objective
RTOS Real-time Operating System
RTP Real-time Transport Protocol
-
S/MIME Secure/Multipurpose Internet Mail Extensions
SaaS Software as a Service
SAE Simultaneous Authentication of Equals
SAML Security Assertions Markup Language
SAN Storage Area Network
SAN Subject Alternative Name
SASE Secure Access Service Edge
SCADA Supervisory Control and Data Acquisition
SCAP Security Content Automation Protocol
SCEP Simple Certificate Enrollment Protocol
SD-WAN Software-defined Wide Area Network
SDK Software Development Kit
SDLC Software Development Life Cycle
SDLM Software Development Lifecycle Methodology
SDN Software-defined Networking
SE Linux Security-enhanced Linux
SED Self-encrypting Drives
SEH Structured Exception Handler
SFTP Secured File Transfer Protocol
SHA Secure Hashing Algorithm
SHTTP Secure Hypertext Transfer Protocol
SIEM Security Information and Event Management
SIM Subscriber Identity Module
SLA Service-level Agreement
SLE Single Loss Expectancy
SMS Short Message Service
SMTP Simple Mail Transfer Protocol
SMTPS Simple Mail Transfer Protocol Secure
SNMP Simple Network Management Protocol
SOAP Simple Object Access Protocol
SOAR Security Orchestration, Automation, Response
SoC System on Chip
SOC Security Operations Center
SOW Statement of Work
SPF Sender Policy Framework
SPIM Spam over Internet Messaging
SQL Structured Query Language
SQLi SQL Injection
SRTP Secure Real-Time Protocol
SSD Solid State Drive
SSH Secure Shell
SSL Secure Sockets Layer
SSO Single Sign-on
STIX Structured Threat Information eXchange
SWG Secure Web Gateway
-
TACACS+ Terminal Access Controller Access Control System
TAXII Trusted Automated eXchange of Indicator Information
TCP/IP Transmission Control Protocol/Internet Protocol
TGT Ticket Granting Ticket
TKIP Temporal Key Integrity Protocol
TLS Transport Layer Security
TOC Time-of-check
TOTP Time-based One-time Password
TOU Time-of-use
TPM Trusted Platform Module
TTP Tactics, Techniques, and Procedures
TSIG Transaction Signature
-
UAT User Acceptance Testing
UAV Unmanned Aerial Vehicle
UDP User Datagram Protocol
UEFI Unified Extensible Firmware Interface
UEM Unified Endpoint Management
UPS Uninterruptable Power Supply
URI Uniform Resource Identifier
URL Universal Resource Locator
USB Universal Serial Bus
USB OTG USB On the Go
UTM Unified Threat Management
UTP Unshielded Twisted Pair
-
VBA Visual Basic
VDE Virtual Desktop Environment
VDI Virtual Desktop Infrastructure
VLAN Virtual Local Area Network
VLSM Variable Length Subnet Masking
VM Virtual Machine
VoIP Voice over IP
VPC Virtual Private Cloud
VPN Virtual Private Network
VTC Video Teleconferencing
-
WAF Web Application Firewall
WAP Wireless Access Point
WEP Wired Equivalent Privacy
WIDS Wireless Intrusion Detection System
WIPS Wireless Intrusion Prevention System
WO Work Order
WPA Wi-Fi Protected Access
WPS Wi-Fi Protected Setup
WTLS Wireless TLS
-
XDR Extended Detection and Response
XML Extensible Markup Language
XOR Exclusive Or
XSRF Cross-site Request Forgery
XSS Cross-site Scripting
Attack Types
Phishing
Description: Sending fraudulent emails that appear to be from a trusted source to obtain sensitive information or install malware.
Variants:
Spear Phishing: Targeting specific individuals or organizations with personalized messages.
Whaling: Targeting high-profile individuals like executives.
Vishing/Smishing: Phishing through voice calls/SMS.
Man-in-the-Middle (MITM)
Description: Intercepting and altering communications between two parties without their knowledge.
Techniques:
ARP Spoofing: Manipulating ARP tables to redirect network traffic.
DNS Spoofing/Poisoning: Modifying DNS responses to redirect users to malicious sites.
Distributed Denial of Service (DDoS)
Description: Overloading a target server with excessive traffic, making it unavailable.
Types of DDoS Attacks:
Volumetric: Saturating bandwidth with high traffic volume (e.g., DNS amplification).
Application-Layer: Exploiting application vulnerabilities (e.g., HTTP flood).
Protocol-Based: Targeting network protocols (e.g., SYN flood).
SQL Injection (SQLi)
Description: Injecting malicious SQL queries into input fields to manipulate backend databases.
Effects: Unauthorized data access, database modification, denial of service.
Cross-site Scripting (XSS)
Description: Injecting malicious scripts into web pages viewed by other users.
Types of XSS:
Reflected: Script executed immediately after user input is reflected in the response.
Stored: Script stored on the server and executed for every user viewing that page.
DOM-Based: Script execution is entirely client-side.
Watering Hole Attack
Description: Compromising a website frequented by specific targets to distribute malware.
Target Selection: Adversaries identify frequently visited websites and infect them with malware.
Keylogger
Description: Capturing keystrokes to obtain sensitive information such as passwords and credit card numbers.
Types:
Hardware Keylogger: Physical device between keyboard and computer.
Software Keylogger: Malicious program recording key inputs.
Logic Bomb
Description: Malicious code triggered under specific conditions, such as a specific date or action.
Purpose: Disrupting operations or corrupting data after predefined triggers.
Malware Types
Virus & Worm
Virus:
Infects files or programs and needs user action to spread.
Can corrupt data, delete files, or modify system settings.
Worm:
Self-replicating malware spreading across networks without user interaction.
Trojan
Description: Malicious software disguised as legitimate applications.
Functionality:
Opens backdoors, exfiltrates data, and installs other malware.
Ransomware
Description: Encrypts data and demands a ransom for its decryption.
Variants:
Crypto Ransomware: Encrypts files on the victim’s system.
Locker Ransomware: Prevents access to the system by locking the screen.
Rootkit
Description: Software designed to gain unauthorized root-level access and remain undetected.
Persistence: Alters system files to avoid detection by anti-malware tools.
Adware & Spyware
Adware:
Displays unwanted advertisements and can collect user data for targeted ads.
Spyware:
Monitors user activity, including browsing habits and keystrokes.
Bloatware
Description: Unwanted software pre-installed on new devices.
Impact: Slows down the system and consumes storage.
Fileless Malware
Description: Operates entirely in memory without writing to disk, making detection harder.
Techniques: Exploits legitimate tools like PowerShell and WMI.
OSI Model Breakdown
Layer 7: Application
Activities: User interface, web browsing, email, file transfers, and application protocols.
Protocols: HTTP, HTTPS, DNS, FTP, Telnet, SSH, SMTP, IMAP, SNMP.
Attack Vectors:
Remote Code Execution (RCE): Exploiting buffer overflows and other vulnerabilities.
Phishing Attacks: Deceptive emails/websites to steal user credentials.
App-Level DoS: Flooding web services with HTTP requests or resource exhaustion.
Controls:
Regular patching, Web Application Firewalls (WAF), input validation, disable unused services.
Layer 6: Presentation
Activities: Data encoding/decoding, compression/encryption.
Protocols: SSL/TLS, JPEG, GIF, MPEG, ASCII, EBCDIC.
Attack Vectors:
Malicious Code Injection: Injecting scripts/malware into files and encoded data.
Phishing: Exploiting vulnerabilities in encoded data to deceive users.
Exploits: Attacking vulnerabilities like buffer overflow or format string attacks.
Controls:
Input validation and sanitization, secure data serialization libraries, encryption updates.
Layer 5: Session
Activities: Establishes, manages, and terminates communication sessions.
Protocols: NetBIOS, RPC, PPTP, SMB.
Attack Vectors:
Session Hijacking: Taking over active sessions using brute force or token attacks.
Brute Force: Repeatedly guessing passwords/tokens to access sessions.
Controls:
Secure authentication, randomize session IDs, enforce strict session expiration policies.
Layer 4: Transport
Activities: Ensures end-to-end data delivery, TCP/UDP protocols.
Protocols: TCP, UDP, SCTP, SSL/TLS.
Attack Vectors:
SYN Floods: Exhausting TCP sessions through excessive connection requests.
Session Hijacking: Gaining control over an active session.
TLS Attacks: Exploiting outdated encryption protocols like POODLE.
Controls:
SYN cookies, updated TLS versions, firewall monitoring for anomalies, token expiration.
Layer 3: Network
Activities: Routing and logical addressing (IPv4/IPv6), path determination.
Protocols: IPv4, IPv6, IPsec, ICMP, OSPF, BGP.
Attack Vectors:
Reconnaissance: ICMP scans to gather information on the network.
MITM (Man-in-the-Middle): IP spoofing to intercept traffic.
DoS: ICMP floods, Ping of Death, and denial-of-service attacks.
Controls:
Network segmentation, IDS/IPS to detect spoofing/scanning, IPsec for encryption.
Layer 2: Data Link
Activities: Frames data, error detection and correction, logical addressing.
Protocols: Ethernet (802.3), Wi-Fi (802.11), VLAN (802.1Q), ARP, PPP.
Attack Vectors:
MAC Spoofing: Faking MAC addresses to bypass filters.
ARP Spoofing: Manipulating ARP messages to intercept traffic.
VLAN Hopping: Gaining unauthorized access to a different VLAN.
Controls:
MAC address filtering, ARP spoofing protection, VLAN isolation and port security.
Layer 1: Physical
Activities: Media, signal, and binary transmission over cables and wireless signals.
Protocols: RS-232, RS-485, DSL, ISDN, 802.11 (Wi-Fi).
Attack Vectors:
Sniffing: Monitoring network signals through wireless or wired transmission.
Spoofing: Impersonating device identities through tampered MAC addresses.
Tampering: Gaining physical access to devices or cables to intercept data.
Controls:
Physical security (access control, CCTV), regular infrastructure inspections, secure cabling.
Types of Firewall
-
• Filter traffic by port number or application
– OSI layer 4 vs. OSI layer 7
– Traditional vs. NGFW firewalls
• Encrypt traffic
– VPN between sites
• Most firewalls can be layer 3 devices (routers)
– Often sits on the ingress/egress of the network
– Network Address Translation (NAT) functionality
– Authenticate dynamic routing communication
Unified Threat Management (UTM)
• Unified Threat Management (UTM) / Web security gateway
– URL filter / Content inspection
– Malware inspection
– Spam filter
– CSU/DSU
– Router, Switch
– Firewall
– IDS/IPS
– Bandwidth shaper
– VPN endpoint
Next-Generation Firewall (NGFW)
• The OSI Application Layer
– All data in every packet
• Can be called different names
– Application layer gateway
– Stateful multilayer inspection
– Deep packet inspection
• Requires some advanced decodes
– Every packet must be analyzed and categorized before a security decision is determined
• Network-based Firewalls
– Control traffic flows based on the application
– Microsoft SQL Server, Twitter, YouTube
• Intrusion Prevention Systems
– Identify the application
– Apply application-specific vulnerability signatures to the traffic
• Content filtering
– URL filters
– Control website traffic by category
Web Application Firewall (WAF)
• Not like a “normal” firewall
– Applies rules to HTTP/HTTPS conversations
• Allow or deny based on expected input
– Unexpected input is a common method of exploiting an application
• SQL injection
– Add your own commands to an application’s SQL query
• A major focus of Payment Card Industry Data Security Standard (PCI DSS)
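The SQL injection entry under Attack Types and the WAF bullet "Allow or deny based on expected input" describe the same defect from two sides. The following is an added example, not code from the page: a lookup built by string splicing beside the parameterized form, plus the allow-list check on expected input that a WAF or the application itself would apply. The in-memory database, the user records and the sample unexpected input are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed in-memory table with sample rows (not from the page).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "analyst"), ("carol", "auditor")],
    )
    return conn

def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    # Vulnerable: the user-controlled value becomes part of the SQL text,
    # so a quote character in the input changes the structure of the query.
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()

def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # Hardened: a bound parameter is always treated as data, never as SQL.
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()

# Positive validation: the only characters a username is expected to contain.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")

def is_expected_input(username: str) -> bool:
    # The WAF rule from the page, "allow based on expected input", as an allow-list.
    return USERNAME_RE.fullmatch(username) is not None

# Constructed example of unexpected input that carries a quote character.
UNEXPECTED_INPUT = "x' OR '1'='1"

def demo() -> dict:
    conn = make_db()
    return {
        "unsafe_normal": lookup_unsafe(conn, "bob"),
        "unsafe_unexpected": lookup_unsafe(conn, UNEXPECTED_INPUT),  # returns every row
        "safe_normal": lookup_safe(conn, "bob"),
        "safe_unexpected": lookup_safe(conn, UNEXPECTED_INPUT),      # returns nothing
        "input_accepted": is_expected_input(UNEXPECTED_INPUT),       # rejected before the query
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The parameterized query is the fix; the allow-list is defence in depth that also gives the WAF a concrete rule to log and block on.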
Stateless Firewall
Inspect packets in isolation
No tracking of connection states
Based on predefined rules (source/destination IP, port, protocol)
Stateful Firewall
Track the state of active connections
Make decisions based on the context of traffic
More dynamic and secure than stateless firewalls
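To make the stateless/stateful distinction concrete, here is an added example (not from the page) that runs one constructed packet sequence through both decision models. The internal subnet, the rule set and the packets are assumptions for the demo; TCP flags, timeouts and UDP are deliberately left out so the state-tracking idea stands alone.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

INTERNAL = ipaddress.ip_network("10.0.0.0/24")  # constructed internal subnet

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL

def stateless_decide(pkt: Packet) -> str:
    """Judge each packet in isolation against static rules."""
    # Rule 1: internal hosts may open HTTPS connections outbound.
    if is_internal(pkt.src) and not is_internal(pkt.dst) and pkt.dport == 443:
        return "allow"
    # Rule 2: with no memory of who connected, replies can only be admitted by a
    # broad rule on the ephemeral port range, which admits unsolicited packets too.
    if not is_internal(pkt.src) and is_internal(pkt.dst) and pkt.dport >= 1024:
        return "allow"
    return "deny"

class StatefulFirewall:
    """Remember permitted outbound flows and admit only their return traffic."""

    def __init__(self) -> None:
        self.flows = set()  # 5-tuples of connections allowed outbound

    def decide(self, pkt: Packet) -> str:
        if is_internal(pkt.src) and not is_internal(pkt.dst) and pkt.dport == 443:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "allow"
        # Inbound is allowed only if it is the exact reverse of a tracked flow.
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        return "allow" if reverse in self.flows else "deny"

# Constructed packet sequence (not from the page).
TRAFFIC = [
    Packet("10.0.0.5", 51000, "203.0.113.10", 443),   # client opens HTTPS
    Packet("203.0.113.10", 443, "10.0.0.5", 51000),   # legitimate reply
    Packet("198.51.100.7", 443, "10.0.0.5", 51000),   # unsolicited, shaped like a reply
    Packet("198.51.100.7", 40000, "10.0.0.5", 22),    # unsolicited SSH attempt
]

def compare(traffic: List[Packet] = TRAFFIC) -> List[Tuple[str, str]]:
    """Return (stateless decision, stateful decision) for each packet in order."""
    fw = StatefulFirewall()
    return [(stateless_decide(p), fw.decide(p)) for p in traffic]

if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(TRAFFIC, compare()):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  stateless={stateless}  stateful={stateful}")
```

The third packet is the one that matters: the stateless rule set has to admit it because it cannot tell a reply from an unsolicited packet, while the stateful model denies it because no internal host ever opened that connection.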
Types of VPN Protocols
-
Speed: Fast.
Encryption & Secure Browsing: Poor.
Stability: Medium.
Media Streaming: Good.
P2P File Sharing: Good.
Compatibility: Most OS and devices.
-
Speed: Fast.
Encryption & Secure Browsing: Medium.
Stability: Good.
Media Streaming: Good.
P2P File Sharing: Good.
Compatibility: Most OS and devices.
-
Speed: Fast.
Encryption & Secure Browsing: Good.
Stability: Good.
Media Streaming: Good.
P2P File Sharing: Good.
Compatibility: Most OS and devices.
-
Speed: Medium.
Encryption & Secure Browsing: Good.
Stability: Good.
Media Streaming: Medium.
P2P File Sharing: Good.
Compatibility: Most OS and devices.
-
Speed: Fast.
Encryption & Secure Browsing: Good.
Stability: Good.
Media Streaming: Good.
P2P File Sharing: Good.
Compatibility: Most OS and devices.
-
Speed: Medium.
Encryption & Secure Browsing: Good.
Stability: Good.
Media Streaming: Medium.
P2P File Sharing: Medium.
Compatibility: Windows.
Incident Response Steps
1. Preparation:
Objective: Ensure the organization is ready to handle incidents effectively.
Activities:
Develop and maintain an incident response policy and plan.
Set up a dedicated Incident Response Team (IRT).
Provide regular training and awareness programs.
Implement tools for logging, monitoring, and alerting.
Identify critical assets and prioritize them in the incident response plan.
2. Detection & Identification:
Objective: Recognize suspicious activities and confirm whether an incident has occurred.
Activities:
Monitor systems for signs of compromise using SIEMs, IDS/IPS, and logging.
Analyze alerts and logs for unusual or unauthorized behavior.
Correlate data from various sources to identify patterns.
Use threat intelligence to recognize known indicators of compromise (IoCs).
3. Analysis:
Objective: Understand the scope, impact, and cause of the incident.
Activities:
Gather and analyze evidence (e.g., logs, files) to identify the source.
Determine which systems are affected and assess the impact.
Establish a timeline of the attack and how the adversary gained access.
Assess the root cause to prevent further exploitation.
4. Containment:
Objective: Prevent the incident from causing further damage.
Activities:
Implement short-term containment to stop the attack's progression.
Isolate affected systems or segments from the network.
Apply firewall rules or ACLs to block malicious traffic.
Patch exploited vulnerabilities or disable compromised accounts.
5. Eradication:
Objective: Eliminate the root cause and artifacts of the incident.
Activities:
Remove malware, infected files, and compromised credentials.
Identify and close backdoors or unauthorized accounts.
Apply patches and update configurations to address vulnerabilities.
Conduct a security review to ensure complete eradication.
6. Recovery:
Objective: Restore normal operations while ensuring the incident is resolved.
Activities:
Restore systems from clean backups or reinstall software.
Monitor systems for signs of reinfection or further compromise.
Confirm that security controls are functional and effective.
Communicate with stakeholders about the resolution.
7. Lessons Learned:
Objective: Improve future incident response based on insights gained.
Activities:
Conduct a post-incident review to identify strengths and weaknesses.
Update the incident response plan based on findings.
Provide additional training or awareness if required.
Document all actions taken and lessons learned for future reference.
Types of Security Controls
1. Technical Controls:
Description: Technological measures implemented in hardware or software to protect resources.
Examples:
Firewalls: Network firewalls block unauthorized network traffic.
Encryption: Encrypts data to protect its confidentiality and integrity.
Access Control Lists (ACLs): Filters who can access or modify files.
Multi-Factor Authentication (MFA): Requires multiple forms of authentication.
2. Managerial Controls:
Description: Policies and procedures to enforce organizational security standards.
Examples:
Security Policies: Guidelines defining acceptable use of systems.
Risk Assessment: Identifies and analyzes security risks.
Training Programs: Educates employees on security best practices.
Vendor Management: Evaluates third-party security posture.
3. Operational Controls:
Description: Day-to-day actions and practices to maintain security.
Examples:
Change Management: Ensures changes to systems are planned and documented.
Incident Response Plans: Defines steps to manage security incidents.
Backup Strategies: Regular data backups ensure recovery after a disaster.
User Management: Regular review of user privileges and access rights.
4. Physical Controls:
Description: Physical measures that prevent unauthorized access to premises or equipment.
Examples:
Access Cards/Biometrics: Restrict entry to authorized personnel.
Security Guards/CCTV: Monitor access and activities in restricted areas.
Fences/Barriers: Prevent unauthorized access to a building or facility.
Lock and Key Management: Restrict access to server rooms and data centers.
Types of Access Control Models
1. Role-Based Access Control (RBAC):
Description: Access permissions are assigned based on user roles in an organization.
Examples:
An HR manager can access HR data, but not finance data.
Pros: Easier to manage permissions for large organizations.
Cons: Roles must be carefully defined and managed.
2. Discretionary Access Control (DAC):
Description: Data owners decide who can access their resources.
Examples:
Users can set permissions for their files and folders.
Pros: Flexible and user-friendly.
Cons: Prone to unauthorized sharing due to user misconfiguration.
3. Mandatory Access Control (MAC):
Description: Access permissions are centrally defined by a security policy.
Examples:
Users can only access resources as defined by the organization's security policies.
Pros: Highly secure and provides clear separation of access rights.
Cons: Complex to implement and manage.
4. Attribute-Based Access Control (ABAC):
Description: Access is based on a combination of attributes such as user identity, resource type, and environment.
Examples:
A user can access financial data only if they are in the Finance department and during working hours.
Pros: Highly flexible and customizable.
Cons: Requires careful planning to avoid conflicting rules.
5. Rule-Based Access Control:
Description: Access permissions are granted based on a set of predefined rules.
Examples:
Allow or block access based on IP addresses, device types, etc.
Pros: Highly adaptable to specific conditions and needs.
Cons: Managing rules can become complicated as the organization grows.
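The five models above differ in where the decision logic lives and what it consults. The following is an added example, not code from the page, that implements each model as a small decision function using the page's own scenarios (the HR manager and HR data, Finance department plus working hours, an IP-based rule). The role table, sensitivity levels, users, files and network are constructed assumptions for the demo.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime

@dataclass
class User:
    name: str
    roles: set
    department: str

@dataclass
class Resource:
    name: str
    kind: str    # e.g. "hr_data" or "finance_data"
    owner: str
    label: str   # sensitivity label used by the MAC check

# 1. RBAC: permissions attach to roles, never to individuals. Constructed policy.
ROLE_PERMISSIONS = {
    "hr_manager": {"hr_data"},
    "finance_analyst": {"finance_data"},
}

def rbac_allows(user: User, resource: Resource) -> bool:
    return any(resource.kind in ROLE_PERMISSIONS.get(role, set()) for role in user.roles)

# 2. DAC: the owner grants access; the ACL travels with the resource.
DAC_ACLS = {"q3_forecast.xlsx": {"erin"}}   # owner frank has shared with erin

def dac_allows(user: User, resource: Resource) -> bool:
    return user.name == resource.owner or user.name in DAC_ACLS.get(resource.name, set())

# 3. MAC: a central policy orders the labels; no subject may read above its clearance.
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top_secret": 3}

def mac_allows_read(clearance: str, resource: Resource) -> bool:
    return LEVELS[clearance] >= LEVELS[resource.label]

# 4. ABAC: the decision combines subject, resource and environment attributes.
def abac_allows(user: User, resource: Resource, now: datetime) -> bool:
    in_working_hours = now.weekday() < 5 and 9 <= now.hour < 18
    if resource.kind == "finance_data":
        return user.department == "Finance" and in_working_hours
    return False

# 5. Rule-based: a predefined rule on request context, here the client network.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

def rule_allows(client_ip: str) -> bool:
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in ALLOWED_NETWORKS)

# Constructed subjects and objects used by the demo
HR_MGR = User("dana", {"hr_manager"}, "HR")
FIN_ANALYST = User("erin", {"finance_analyst"}, "Finance")
HR_FILE = Resource("salaries.csv", "hr_data", "dana", "confidential")
FIN_FILE = Resource("q3_forecast.xlsx", "finance_data", "frank", "secret")

def demo() -> dict:
    tue_10am = datetime(2024, 1, 9, 10, 0)    # weekday, inside working hours
    sat_10am = datetime(2024, 1, 13, 10, 0)   # weekend
    return {
        "rbac_hr_reads_hr": rbac_allows(HR_MGR, HR_FILE),            # True
        "rbac_hr_reads_finance": rbac_allows(HR_MGR, FIN_FILE),      # False
        "dac_owner": dac_allows(User("frank", set(), "Finance"), FIN_FILE),  # True
        "dac_granted": dac_allows(FIN_ANALYST, FIN_FILE),            # True
        "dac_not_granted": dac_allows(HR_MGR, FIN_FILE),             # False
        "mac_secret_reads_confidential": mac_allows_read("secret", HR_FILE),       # True
        "mac_confidential_reads_secret": mac_allows_read("confidential", FIN_FILE),  # False
        "abac_finance_weekday": abac_allows(FIN_ANALYST, FIN_FILE, tue_10am),  # True
        "abac_finance_weekend": abac_allows(FIN_ANALYST, FIN_FILE, sat_10am),  # False
        "abac_hr_weekday": abac_allows(HR_MGR, FIN_FILE, tue_10am),            # False
        "rule_internal_ip": rule_allows("10.20.30.40"),              # True
        "rule_external_ip": rule_allows("203.0.113.9"),              # False
    }

if __name__ == "__main__":
    for check, decision in demo().items():
        print(f"{check}: {decision}")
```

Note which inputs each function needs: RBAC and MAC consult only a central table, DAC consults state the owner controls, ABAC needs the environment (the clock), and the rule-based check needs the request context. That is the practical difference between the models, and why they are often layered rather than chosen exclusively.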
Risk Assessment
-
Purpose: Identify potential risks that could impact an organization.
Activities:
Weaknesses discovery via testing and audits.
Analysis of business processes and assets.
Creation of risk registers to document potential issues.
-
Purpose: Understand the potential impact and likelihood of identified risks.
Qualitative Analysis:
Collect input on significance via discussions and surveys.
Assess exposure factor (EF) to measure how much asset value is lost.
Quantitative Analysis:
Calculate Annualized Rate of Occurrence (ARO), Asset Value (AV), and Single Loss Expectancy (SLE).
Estimate Annualized Loss Expectancy (ALE) using the formula:
ALE = ARO × SLE.
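An added worked example of the quantitative analysis above (not from the page): it carries the page's terms AV, EF, SLE, ARO and ALE through a small risk register, ranks the entries by ALE, and uses the ALE reduction to judge whether a proposed control is worth its annual cost. SLE is computed as AV multiplied by EF; the register entries, the reduced ARO and the control cost are constructed values.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class Risk:
    name: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost in one incident (0.0 to 1.0)
    aro: float              # ARO, expected incidents per year

    def sle(self) -> float:
        # Single Loss Expectancy: what one incident costs
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        # Annualized Loss Expectancy, the page's formula ALE = ARO x SLE
        return self.aro * self.sle()

def prioritize(risks: List[Risk]) -> List[str]:
    """Risk names ordered by expected annual loss, highest first."""
    return [r.name for r in sorted(risks, key=lambda r: r.ale(), reverse=True)]

def control_value(risk: Risk, aro_after: float, annual_cost: float) -> float:
    """Annual benefit of a mitigating control that lowers the ARO.

    ALE before minus ALE after minus the control's yearly cost. A positive
    result means the control pays for itself (the ROI question for Mitigate).
    """
    after = Risk(risk.name, risk.asset_value, risk.exposure_factor, aro_after)
    return risk.ale() - after.ale() - annual_cost

# Constructed register entries (not from the page)
REGISTER = [
    Risk("Ransomware on file server", 500_000, 0.40, 0.5),     # SLE 200k, ALE 100k
    Risk("Laptop theft", 3_000, 1.00, 6.0),                    # SLE 3k,   ALE 18k
    Risk("Data center flood", 2_000_000, 0.25, 0.05),          # SLE 500k, ALE 25k
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name}: SLE={r.sle():,.0f} ALE={r.ale():,.0f}")
    print("priority:", prioritize(REGISTER))
    # Constructed proposal: offline backups cut ransomware ARO to 0.1 at 30k per year
    print("backup control value:", control_value(REGISTER[0], aro_after=0.1, annual_cost=30_000))
```

The ranking is the useful part: the flood has the largest single loss, but the ransomware entry carries the highest expected annual loss and therefore the first claim on mitigation budget.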
-
Risk Management Strategies:
Transfer: Move the risk to another party (e.g., insurance).
Accept: A business decision to accept potential losses.
Avoid: Stop participating in high-risk activities.
Mitigate: Invest in controls to reduce the risk level.
Accept with Exemption/Exception: Internal policies may not apply due to specific circumstances.
-
Risk Appetite: The acceptable amount of risk to pursue opportunities.
Risk Tolerance: Limits within the risk appetite based on business goals and safety.
-
Objective: Regularly review risks to ensure up-to-date strategies.
Approach:
Ad hoc assessments for situational changes.
Recurring reviews (e.g., quarterly, annually).
Legal/mandated assessments (PCI DSS).
-
Purpose: Share risk information with management for decision-making.
Content:
Detailed documentation of each identified risk.
Impact analysis with prioritization for mitigation.
-
Metrics that highlight changes in risks, such as regulatory compliance changes or emerging threats.
Data States, Protection & Classifications
States of Data
Data at Rest:
Definition: Data stored on devices like hard drives, SSDs, and databases.
Protection:
Encryption: Whole disk encryption, file/folder encryption.
Permissions: Only authorized users have access.
Network Access Control: Restrict physical access to storage devices.
Data in Use:
Definition: Data actively processed by systems (e.g., RAM, CPU caches).
Protection:
Access Controls: Secure tokens, password policies.
Secure Memory: Isolate memory segments to prevent data leakage.
Monitoring: Track access to sensitive information.
Data in Transit:
Definition: Data transmitted over networks (also called “in-motion”).
Protection:
Transport Encryption: Use protocols like TLS, IPsec, or VPNs.
Network Security: Firewalls, IDS/IPS, secure routing.
Network Segmentation: Limit exposure using VLANs and ACLs.
Protecting Data
Geographic Restrictions:
Network Location: Identify users by IP subnet, but less accurate with mobile devices.
Geolocation:
GPS: Provides accurate location for mobile devices.
Geofencing: Limits app access to users near the office.
Access Control:
Permission Restrictions: Access only given to authorized personnel.
Authentication Policies: Strong passwords, MFA, secure login.
Encryption:
Data Encryption: Whole disk encryption, secure file storage.
In-Transit: Use TLS/IPsec to encrypt data in motion.
Obfuscation: Substitute or shuffle sensitive data.
Hashing:
Message Digest: Represents data as a short, unique string.
Verification: Used to compare and verify the integrity of files.
Digital Signature: Provides authentication, non-repudiation, and integrity.
Data Ownership & Classification
Data Classification:
Proprietary: Unique to an organization and may contain trade secrets.
PII (Personally Identifiable Information): Data identifying an individual.
PHI (Protected Health Information): Medical information related to individuals.
Ownership and Sovereignty:
Data Sovereignty: Data located within a country’s borders is subject to its laws.
GDPR: Enforces strict rules about storing EU citizens’ data in the EU.
Corporate Ownership: Clearly define who owns data internally and externally.
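The Hashing entries separate integrity (message digest, verification) from authentication (digital signature). The following is an added example, not from the page, showing why that separation matters: a plain SHA-256 digest detects a changed record only while the recorded digest itself is protected, whereas a keyed digest cannot be recomputed by whoever changed the data. HMAC from the standard library stands in for the page's digital signature here; a real signature uses an asymmetric key pair and adds non-repudiation, which HMAC does not. The records and the key are constructed for the demo.

```python
import hashlib
import hmac

def message_digest(data: bytes) -> str:
    # Fixed-length fingerprint; any change to the input changes the digest.
    return hashlib.sha256(data).hexdigest()

def digest_matches(data: bytes, recorded_digest: str) -> bool:
    # Integrity check: recompute and compare in constant time.
    return hmac.compare_digest(message_digest(data), recorded_digest)

def authentication_tag(data: bytes, key: bytes) -> str:
    # Keyed digest: only a holder of the key can produce a matching tag.
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def tag_matches(data: bytes, key: bytes, tag: str) -> bool:
    return hmac.compare_digest(authentication_tag(data, key), tag)

# Constructed records (not from the page)
ORIGINAL = b"amount=100;payee=alice"
TAMPERED = b"amount=900;payee=alice"

def demo(key: bytes = b"constructed-demo-key-not-for-real-use") -> dict:
    recorded_digest = message_digest(ORIGINAL)
    recorded_tag = authentication_tag(ORIGINAL, key)
    return {
        # Digest stored somewhere the tamperer cannot reach: the change is caught.
        "plain_digest_detects_change": digest_matches(TAMPERED, recorded_digest),
        # Digest stored alongside the data: the tamperer simply replaces it too,
        # and the check passes. A bare hash proves integrity, not origin.
        "plain_digest_replaced_by_tamperer": digest_matches(TAMPERED, message_digest(TAMPERED)),
        # Keyed tag: the change is caught ...
        "hmac_detects_change": tag_matches(TAMPERED, key, recorded_tag),
        # ... and a tag recomputed without the key does not verify either.
        "hmac_forged_without_key": tag_matches(TAMPERED, key, authentication_tag(TAMPERED, b"wrong-key")),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Publishing a file's hash next to the download is the first case above; it protects against transfer errors, and against tampering only when the hash is served from a channel the attacker does not control. That gap is what signatures (and, within one trust domain, HMACs) close.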
Data Roles and Responsibilities
Data Responsibilities
Organizational Level:
Include relationships like ownership and management of data.
Responsibilities are often strategic rather than technical.
Data Roles:
Data Owner:
Accountable for specific data, usually a senior officer.
Example: VP of Sales for customer relationship data, Treasurer for financial data.
Data Controller:
Decides the purposes and methods for processing personal data.
Manages data access and compliance with legal requirements.
Data Processor:
Processes data on behalf of the data controller.
Can be an internal team or third-party service provider.
Payroll Controller and Processor:
Controller: Payroll department defines amounts and timeframes.
Processor: Payroll company processes payroll and stores employee data.
Data Custodian/Steward:
Responsible for data accuracy, privacy, and security.
Works directly with data to:
Associate sensitivity labels (e.g., public, confidential).
Ensure compliance with laws and standards.
Manage data access rights.
Implement security controls.
AT Classifications
Nation-State:
Attributes:
Location: External.
Resources: Extensive, backed by significant funding.
Sophistication: Very high, often employing APTs.
Motivations:
Data Exfiltration: Strategic data, espionage, intellectual property.
Political: Influence elections, destabilize governments.
War: Disrupt or weaken adversaries’ critical infrastructure.
Hacktivist:
Attributes:
Location: External.
Resources: Some funding.
Sophistication: Can be high depending on skill set.
Motivations:
Philosophical Beliefs: Oppose organizations that conflict with their beliefs.
Revenge/Disruption: Damage organizations through defacement or data leaks.
Chaos: Disrupt established systems or provoke authorities.
Organized Crime:
Attributes:
Location: External.
Resources: Often extensive, with structured groups.
Sophistication: Very high, including skilled hackers.
Motivations:
Financial Gain: Conduct large-scale ransomware campaigns or data theft.
Fraud/Blackmail: Use stolen data to extort or sell for profit.
Unskilled Threat Actors (Script Kiddies):
Attributes:
Location: External.
Resources: Limited, usually working alone or in small groups.
Sophistication: Very low, using pre-made scripts and tools.
Motivations:
Disruption: Cause downtime or confusion without specific goals.
Data Exfiltration: Exploit systems for basic data theft.
Philosophical Beliefs: Promote personal ideologies.
Insider Threat:
Attributes:
Location: Internal.
Resources: Not funding but access: valid credentials, knowledge of where the sensitive data lives, and trust that bypasses perimeter controls.
Sophistication: Medium; the advantage comes from institutional knowledge rather than tooling.
Motivations:
Revenge: Retaliate against the employer or organization.
Financial Gain: Sell data or secrets to third parties or take them to a competitor.
Disruption: Sabotage systems or data, often timed to departure or dismissal.
Shadow IT:
Attributes:
Location: Internal.
Resources: Whatever the business unit can buy or build itself; usually limited compared with sanctioned IT.
Sophistication: Medium, using self-built or unapproved infrastructure (personal cloud accounts, unmanaged SaaS, rogue servers).
Motivations:
Innovation: Work around IT policies seen as too slow or restrictive.
Convenience: Stand up unsanctioned systems to get work done faster.
Frustration: Operate outside internal controls because of perceived limitations.
Shadow IT is usually not malicious, but unsanctioned systems sit outside patching, logging, backup and access control, so they become unmanaged attack surface.
Anything as a Service
Hardware as a service (HaaS)
A procurement model similar to leasing or licensing. Hardware that belongs to a managed service provider (MSP) is installed at the customer's site, and a service level agreement (SLA) defines the responsibilities of both parties.
Containers as a service (CaaS)
A form of container-based virtualization in which container engines, orchestration and the underlying compute resources are delivered to users as a service by a cloud provider.
Functions as a service (FaaS)
A platform that lets customers develop, run, and manage individual application functions without building or maintaining the underlying infrastructure; the provider runs the function on demand and bills per invocation.
Windows Event Log IDs
-
System log (Windows Logs > System). Event IDs are only unique within a log, so always pair the ID with the log name and provider when searching.
Event ID 1074 (System Shutdown/Restart): This event log indicates when and why the system was shut down or restarted. By monitoring these events, you can determine if there are unexpected shutdowns or restarts, potentially revealing malicious activity such as malware infection or unauthorized user access.
Event ID 6005 (The Event log service was started): This event log marks the time when the Event Log Service was started. This is an important record, as it can signify a system boot-up, providing a starting point for investigating system performance or potential security incidents around that period. It can also be used to detect unauthorized system reboots.
Event ID 6006 (The Event log service was stopped): This event log signifies the moment when the Event Log Service was stopped. It is typically seen when the system is shutting down. Abnormal or unexpected occurrences of this event could point to intentional service disruption for covering illicit activities.
Event ID 6013 (Windows uptime): This event occurs once a day and shows the uptime of the system in seconds. A shorter than expected uptime could mean the system has been rebooted, which could signify a potential intrusion or unauthorized activities on the system.
Event ID 7040 (Service status change): This event indicates a change in service startup type, which could be from manual to automatic or vice versa. If a crucial service's startup type is changed, it could be a sign of system tampering.
sourced from htb*
-
Windows Security Logs
Most IDs below live in Windows Logs > Security. The Defender events (1116-1120, 5001) are an exception: they are written to Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational, and 7045 is written to the System log.
Event ID 1102 (The audit log was cleared): Clearing the audit log is often a sign of an attempt to remove evidence of an intrusion or malicious activity.
Event ID 1116 (Antivirus malware detection): Logged when Defender detects malware or potentially unwanted software. A surge in these events could indicate a targeted attack or widespread malware infection.
Event ID 1117 (Antivirus action taken): Defender performed an action (quarantine, remove, block) against the threat reported in the matching 1116. A 1116 with no following 1117 means the detection was not remediated.
Event ID 1118 (Antivirus action failed): Defender attempted to act on the threat but the action failed. These should be investigated immediately; the file is still on disk.
Event ID 1119 (Antivirus critical error during action): Defender hit a critical error while trying to act on the threat. Treat it like 1118.
Event ID 1120 (Hashes deduced for a threat resource): Defender logs the file hashes of the detected resource, which is the field to pivot on when hunting the same sample on other hosts.
Event ID 4624 (Successful Logon): This event records successful logon events. This information is vital for establishing normal user behavior. Abnormal behavior, such as logon attempts at odd hours or from different locations, could signify a potential security threat.
Event ID 4625 (Failed Logon): This event logs failed logon attempts. Multiple failed logon attempts could signify a brute-force attack in progress.
Event ID 4648 (A logon was attempted using explicit credentials): This event is triggered when a user logs on with explicit credentials to run a program. Anomalies in these logon events could indicate lateral movement within a network, which is a common technique used by attackers.
Event ID 4656 (A handle to an object was requested): This event is triggered when a handle to an object (like a file, registry key, or process) is requested. It is only logged when object access auditing is enabled and the object carries a SACL that audits the requested access, so it is silent by default and very noisy if enabled on broad paths; scope the SACLs to the sensitive resources you actually want to watch.
Event ID 4672 (Special Privileges Assigned to a New Logon): This event is logged whenever an account logs on with super user privileges. Tracking these events helps to ensure that super user privileges are not being abused or used maliciously.
Event ID 4698 (A scheduled task was created): This event is triggered when a scheduled task is created. Monitoring this event can help you detect persistence mechanisms, as attackers often use scheduled tasks to maintain access and run malicious code.
Event ID 4700 & Event ID 4701 (A scheduled task was enabled/disabled): This records the enabling or disabling of a scheduled task. Scheduled tasks are often manipulated by attackers for persistence or to run malicious code, thus these logs can provide valuable insight into suspicious activities.
Event ID 4702 (A scheduled task was updated): Similar to 4698, this event is triggered when a scheduled task is updated. Monitoring these updates can help detect changes that may signify malicious intent.
Event ID 4719 (System audit policy was changed): This event records changes to the audit policy on a computer. It could be a sign that someone is trying to cover their tracks by turning off auditing or changing what events get audited.
Event ID 4738 (A user account was changed): This event records changes to a user account's attributes, such as the user account control flags, password-last-set, logon hours or the SAM account name. Group membership changes are logged separately (for example 4728, 4732 and 4756 for additions to global, local and universal security groups). Unexpected account changes can be a sign of account takeover or insider threats.
Event ID 4771 (Kerberos pre-authentication failed): This event is similar to 4625 (failed logon) but specifically for Kerberos authentication. An unusual amount of these logs could indicate an attacker attempting to brute force your Kerberos service.
Event ID 4776 (The domain controller attempted to validate the credentials for an account): This event helps track both successful and failed attempts at credential validation by the domain controller. Multiple failures could suggest a brute-force attack.
Event ID 5001 (Antivirus real-time protection disabled): Logged in the Defender Operational log when real-time protection is turned off; 5004 records a change to the real-time protection configuration and 5007 any other Defender configuration change. Unauthorized occurrences of any of these could indicate an attempt to disable or undermine Defender before dropping tooling.
Event ID 5140 (A network share object was accessed): This event is logged whenever a network share is accessed. This can be critical in identifying unauthorized access to network shares.
Event ID 5142 (A network share object was added): This event signifies the creation of a new network share. Unauthorized network shares could be used to exfiltrate data or spread malware across a network.
Event ID 5145 (A network share object was checked to see whether client can be granted desired access): Logged for every access check against a share, so it is high-volume. Unlike 5140, it carries the relative target name and the access mask, which makes it the event to use when you need to know which file on a share was read or written; frequent checks across many shares from one host can indicate a user or malware mapping out the network.
Event ID 5157 (The Windows Filtering Platform has blocked a connection): This is logged when the Windows Filtering Platform blocks a connection attempt. This can be helpful for identifying malicious traffic on your network.
Event ID 7045 (A service was installed in the system): Written to the System log (the Security-log counterpart is 4697, which requires the Audit Security System Extension subcategory). A sudden appearance of unknown services, or a service whose binary sits outside Windows or Program Files, might suggest malware installation, as many types of malware and remote-execution tools (PsExec among them) install themselves as services.
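The lists above are only useful once the IDs are turned into rules. The following is an added example (not code from this page or from HTB) that runs a handful of those rules over a constructed batch of events: a burst of 4625 failures followed by a 4624 and 4672 for the same account, a 4698 and a 7045 pointing at binaries outside trusted paths, and the always-alert IDs 5001 and 1102. The record shape (id, log, time, user, src, command, path), the threshold and window, the trusted path prefixes and the expected-admin list are all assumptions for the demo; a real deployment would feed it the fields a SIEM or Get-WinEvent extracts from the event XML.

```python
"""Toy detector for the Windows event IDs listed above (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Each dict is a simplified
# Windows event: the ID, the log it lives in, a timestamp and a few of the
# fields a SIEM would extract from the event XML.
SAMPLE_EVENTS = [
    {"id": 4625, "log": "Security", "time": "2024-05-01T02:00:01", "user": "svc_backup", "src": "10.0.0.7"},
    {"id": 4625, "log": "Security", "time": "2024-05-01T02:00:03", "user": "svc_backup", "src": "10.0.0.7"},
    {"id": 4625, "log": "Security", "time": "2024-05-01T02:00:05", "user": "svc_backup", "src": "10.0.0.7"},
    {"id": 4625, "log": "Security", "time": "2024-05-01T02:00:07", "user": "svc_backup", "src": "10.0.0.7"},
    {"id": 4625, "log": "Security", "time": "2024-05-01T02:00:09", "user": "svc_backup", "src": "10.0.0.7"},
    {"id": 4624, "log": "Security", "time": "2024-05-01T02:00:12", "user": "svc_backup", "src": "10.0.0.7", "logon_type": 3},
    {"id": 4672, "log": "Security", "time": "2024-05-01T02:00:12", "user": "svc_backup"},
    {"id": 4698, "log": "Security", "time": "2024-05-01T02:01:40", "user": "svc_backup",
     "task": "\\Updater", "command": "C:\\Users\\Public\\upd.exe"},
    {"id": 7045, "log": "System", "time": "2024-05-01T02:02:10",
     "service": "WinHelperSvc", "path": "C:\\Users\\Public\\svc.exe"},
    {"id": 5001, "log": "Microsoft-Windows-Windows Defender/Operational", "time": "2024-05-01T02:02:30"},
    {"id": 1102, "log": "Security", "time": "2024-05-01T02:03:00", "user": "svc_backup"},
    # benign noise: one isolated failure and a service installed from Program Files
    {"id": 4625, "log": "Security", "time": "2024-05-01T09:15:00", "user": "alice", "src": "10.0.0.21"},
    {"id": 7045, "log": "System", "time": "2024-05-01T09:20:00", "service": "MsSense",
     "path": "C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe"},
]

# IDs whose mere appearance is worth an alert: covering tracks or turning off defences.
ALWAYS_ALERT = {
    1102: "audit log cleared",
    4719: "audit policy changed",
    5001: "Defender real-time protection disabled",
    7040: "service start type changed",
}

# Where a legitimate service binary or task command normally lives (assumption).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Accounts expected to receive special privileges in 4672 (assumption for the demo).
EXPECTED_ADMINS = {"administrator", "alice"}


def _ts(ev):
    return datetime.fromisoformat(ev["time"])


def detect(events, threshold=5, window=timedelta(minutes=5)):
    """Return a list of (event_id, rule, detail) alerts, in time order."""
    alerts = []
    failed = defaultdict(list)      # (src, user) -> timestamps of recent 4625s
    flagged = set()                 # (src, user) pairs already reported as brute force

    for ev in sorted(events, key=_ts):
        eid = ev["id"]

        if eid in ALWAYS_ALERT:
            alerts.append((eid, ALWAYS_ALERT[eid], ev.get("user", ev["log"])))

        elif eid == 4625:
            key = (ev["src"], ev["user"])
            now = _ts(ev)
            # sliding window: keep only failures that fall inside `window`
            failed[key] = [t for t in failed[key] if now - t <= window] + [now]
            if len(failed[key]) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append((4625, "brute force", f"{ev['user']} from {ev['src']}"))

        elif eid == 4624:
            # a success for a pair we already flagged is the interesting one
            if (ev.get("src"), ev["user"]) in flagged:
                alerts.append((4624, "success after brute force", f"{ev['user']} from {ev.get('src')}"))

        elif eid == 4672:
            if ev["user"].lower() not in EXPECTED_ADMINS:
                alerts.append((4672, "unexpected privileged logon", ev["user"]))

        elif eid in (4698, 7045):
            # scheduled task command or service binary outside a trusted location
            path = ev.get("command") or ev.get("path", "")
            if not path.lower().startswith(TRUSTED_PREFIXES):
                name = ev.get("task") or ev.get("service")
                alerts.append((eid, "persistence from untrusted path", f"{name} -> {path}"))

    return alerts


if __name__ == "__main__":
    for eid, rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{eid}] {rule}: {detail}")
```

Correlating by (source, account) rather than by account alone keeps a password-spray from one host from being hidden behind unrelated single failures, and reporting each pair once stops the detector itself from flooding the queue while the attack is still running.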
HTTP Status Codes
From LinkedIn
-
Will link once vetted
Dehashed (Leaked Creds)
Security Trails (DNS Data)
Dark Search (Google Dorking)
ExploitDB (Exploit Archive)
ZoomEye (Info about Targets)
Pulsedive (Threat Intel)
GrayHatWarfare (Public S3 Buckets)
PolySwarm (Scan File and Urls)
Fofa (Threat Intel)
LeakIX (Web Server)
DNSDumpster (DNS Data)
FullHunt (Attack Surface)
AlienVault OTX (Threat Intel)
Onyphe (Threat Intel)
grep.app (Git Repo Search)
Url Scan (Scan Website)
Vulners (Vulnerability Database)
WayBackMachine (Archived content)
Shodan (Devices on Internet)
Netlas (Devices on Internet)
CRT.sh (Certs)
Wigle (Wireless Networks Database)
PublicWWW (Marketing Research)
Binary Edge (Threat Intel)
GreyNoise (Devices on Internet)
Hunter (Email Addresses)
Censys (Devices on Internet)
IntelligenceX (Tor, I2P, Data Leaks)
Packet Storm (Vulnerabilities & Exploits)
searchcode (Source Code Search)
-
Thanks to Daniel Kelley on LinkedIn
(all channels are hyperlinked for convenience)
Black Hills Information Security — Everything cybersecurity related.
The Cyber Mentor — Ethical hacking, web-application hacking, and tools.
The Hated One — Research that explains cybersecurity concepts.
MalwareTechBlog — Cybersecurity and reverse engineering content.
John Hammond — Malware analysis, programming, and careers.
BlackPerl — Malware analysis, forensics, and incident response.
Simply Cyber — Helps people with cybersecurity career development.
DEFCONConference — Everything from DEFCON cybersecurity event.
David Bombal — Everything cybersecurity related.
Offensive Security — Educational content and lab walkthroughs.
Day Cyberwox — Useful cloud security content and walkthroughs.
Security Weekly — Interviews with cybersecurity figures.
Computerphile — Covers basic concepts and techniques.
LiveOverflow — Involves hacking, write-up videos, and capture-the-flags.
Peter Yaworski — Web-application hacking tips and interviews.
Bugcrowd — Bug bounty methodology and interviews.
Z-winK University — Bug bounty education and demonstrations.
Professor Messer — Guides covering certifications.
Hak5 — General cybersecurity coverage.
Network Chuck — Everything cybersecurity related.
InfoSec Live — Everything from tutorials to interviews.
The PC Security Channel — Windows, malware news, and tutorials.
Infosec Institute — Cybersecurity awareness.
OWASP Foundation — Web-application security content.
SANS Offensive Operations — Technical cybersecurity videos.
Cyberspatial — Cybersecurity education and training.
Security Now — Cybercrime news, hacking, and web-application security.
Pentester Academy TV — Discussions and demonstrating attacks.
STÖK — Videos on tools, vulnerability analysis, and methodology.
Cyrill Gössi — Extensive cryptography videos.
InsiderPHD — How to get started with bug bounty hunting.
The XSS Rat — Everything bounty hunting.
Outpost Gray — Cybersecurity career development.
13Cubed — Videos on tools, forensics, and incident response.
Cyber CDH — Cybersecurity tools, tactics, and techniques.
Hack eXPlorer — General tutorials, tips, and techniques.
HackerSploit — Penetration testing, web-application hacking.
Nahamsec — Educational hacking and bug bounty videos.
Joe Collins — Everything Linux related, including tutorials and guides.
DC CyberSec — Generic cybersecurity coverage.
ITProTV — General cybersecurity coverage.
Black Hat — Technical cybersecurity conferences.
Null Byte — Cybersecurity for ethical hackers and computer scientists.
IppSec — Labs and capture-the-flag tutorials, HackTheBox etc.
This section is called “From LinkedIn” due to the fact that I see multiple posts that claim to help with research/learning. As I come across these, I will compile them here and then vet whether the information is viable.